Hi,
IIUC I had a similar requirement, described in thread [1], where a SAML-only
SP did not support multiple IdPs (in this case, these were different
KeyCloak realms themselves). We arrived at the IdP federation approach
after discussing internally and implemented that successfully, in the
browser flow.
Basically, each realm was added as a separate federated OIDC IdP in a
"broker" realm. A SAML client was created in the broker realm and the SP
was pointed to that. During authentication, the user is shown all the
realms as federated IdP options in the login form, and when selected the
user will be able to authenticate against the required realm. With a set of
mappers associated with each IdP configuration, a well-formed SAML
assertion could be returned to the SP to do role mapping successfully. I
haven't used SATOSA but from a brief glance, looks like SAML<->SAML flow is
the same as what KC provides OOTB.
Hope this helps too :)
[1] https://lists.jboss.org/pipermail/keycloak-user/2019-July/018721.html
Regards,
Chamila
Blog:
medium.com/@chamilad
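The broker-realm set-up Chamila describes (each source realm added as a federated OIDC IdP, one SAML client for the SP, mappers on each IdP so the assertion carries the attributes the SP needs) can be scripted against the Keycloak admin REST API. The following is an added example, not code from the thread or from the Keycloak project; the base URL, realm names, client ids/secrets, SP entityID and ACS URL are constructed sample values, and it assumes a confidential client for the broker already exists in each source realm.

```python
"""Provision a Keycloak "broker" realm that fronts several existing realms as
federated OIDC identity providers behind a single SAML client.
Added example for the keycloak-user thread; not code from the thread.
Assumptions: Keycloak served under BASE_URL with the /auth prefix, a realm
named BROKER_REALM already exists, and each source realm has a confidential
client registered for the broker (client id/secret passed in by the caller).
All URLs, realm names and secrets below are constructed sample values."""
import json
import urllib.parse
import urllib.request

BASE_URL = "https://sso.example.org/auth"   # assumption: Keycloak with /auth prefix
BROKER_REALM = "broker"                      # assumption: realm the SAML SP is pointed at


def oidc_idp_representation(realm, client_id, client_secret):
    """IdentityProviderRepresentation for one source realm, using that realm's
    own OIDC endpoints.  Token signatures are validated against the realm's
    JWKS and upstream tokens are not stored on the brokered user."""
    ep = f"{BASE_URL}/realms/{realm}/protocol/openid-connect"
    return {
        "alias": realm,                      # shown as a login option in the broker realm
        "displayName": f"{realm.capitalize()} realm",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,                 # e-mail is set by an explicit mapper instead
        "storeToken": False,
        "firstBrokerLoginFlowAlias": "first broker login",
        "config": {
            "issuer": f"{BASE_URL}/realms/{realm}",
            "authorizationUrl": f"{ep}/auth",
            "tokenUrl": f"{ep}/token",
            "userInfoUrl": f"{ep}/userinfo",
            "logoutUrl": f"{ep}/logout",
            "jwksUrl": f"{ep}/certs",
            "useJwksUrl": "true",
            "validateSignature": "true",
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",
            "defaultScope": "openid email profile",
        },
    }


def idp_mappers(realm):
    """IdentityProviderMapperRepresentations that copy claims from the source
    realm's token onto the brokered user, so the SAML assertion the SP gets
    is complete enough for its role mapping."""
    return [
        {
            "name": f"{realm}-email",
            "identityProviderAlias": realm,
            "identityProviderMapper": "oidc-user-attribute-idp-mapper",
            "config": {"claim": "email", "user.attribute": "email"},
        },
        {
            # constructed: users carrying the value 'admin' in a 'roles' claim
            # from the source realm get the broker-realm role 'sp-admin'
            # (that role must exist in the broker realm beforehand)
            "name": f"{realm}-admin-role",
            "identityProviderAlias": realm,
            "identityProviderMapper": "oidc-role-idp-mapper",
            "config": {"claim": "roles", "claim.value": "admin", "role": "sp-admin"},
        },
    ]


def saml_client_representation(sp_entity_id, acs_url):
    """ClientRepresentation for the SAML SP.  Assertions and responses are
    signed, and the SP is required to sign its AuthnRequests."""
    return {
        "clientId": sp_entity_id,            # for SAML clients the clientId is the SP entityID
        "protocol": "saml",
        "enabled": True,
        "redirectUris": [acs_url],
        "attributes": {
            "saml_assertion_consumer_url_post": acs_url,
            "saml.assertion.signature": "true",
            "saml.server.signature": "true",
            "saml.client.signature": "true",
            "saml.force.post.binding": "true",
            "saml_name_id_format": "email",
        },
        "protocolMappers": [
            {"name": "email", "protocol": "saml",
             "protocolMapper": "saml-user-attribute-mapper",
             "config": {"user.attribute": "email", "attribute.name": "email",
                        "attribute.nameformat": "Basic", "friendly.name": "email"}},
            {"name": "roles", "protocol": "saml",
             "protocolMapper": "saml-role-list-mapper",
             "config": {"attribute.name": "Role", "attribute.nameformat": "Basic",
                        "single": "true"}},
        ],
    }


def admin_token(username, password):
    """Obtain an admin access token via the admin-cli client of the master realm."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{BASE_URL}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def admin_post(token, path, body):
    """POST one representation to the broker realm's admin API; returns HTTP status."""
    req = urllib.request.Request(f"{BASE_URL}/admin/realms/{BROKER_REALM}/{path}",
                                 data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def provision(token, idp_credentials, sp_entity_id, acs_url):
    """idp_credentials: {source_realm: (client_id, client_secret)}.  Creates one
    OIDC IdP plus its mappers per source realm, then the SAML client."""
    for realm, (cid, secret) in idp_credentials.items():
        admin_post(token, "identity-provider/instances", oidc_idp_representation(realm, cid, secret))
        for mapper in idp_mappers(realm):
            admin_post(token, f"identity-provider/instances/{realm}/mappers", mapper)
    admin_post(token, "clients", saml_client_representation(sp_entity_id, acs_url))


if __name__ == "__main__":
    # constructed values; real secrets come from the clients registered in each source realm
    tok = admin_token("admin", "ADMIN-PASSWORD-PLACEHOLDER")
    provision(tok, {"engineering": ("broker", "SECRET-PLACEHOLDER-1"),
                    "finance": ("broker", "SECRET-PLACEHOLDER-2")},
              "https://sp.example.org/shibboleth",
              "https://sp.example.org/Shibboleth.sso/SAML2/POST")
```

After running this, the SP is pointed at the broker realm's SAML descriptor and each source realm shows up as a separate option on the broker login page, as in the thread; the representations are built by pure functions so they can be reviewed (or diffed against an export) before anything is posted.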
On Mon, Jul 29, 2019 at 8:34 PM Hannah Short <hannah.short(a)cern.ch> wrote:
Hi Stephen,
Was just browsing past threads. You’ve probably solved it by now but
hopefully this helps others!
We are using a SATOSA proxy to integrate with eduGAIN, which acts as an
Identity Provider to our Keycloak instance:
https://github.com/IdentityPython/SATOSA
In addition we use PyFF to handle the metadata:
https://github.com/IdentityPython/pyFF
The benefit of using these tools is that they are maintained by the
eduGAIN community and natively support many of the quirks found in Identity
Federations (both technically and in terms of trust and policy).
Cheers,
Hannah
On 17 Jun 2019, at 14:48, BOOTH Stephen <s.booth(a)epcc.ed.ac.uk> wrote:
I'm wanting to configure keycloak to authenticate against a SAML
federation (externally curated set of IdPs) rather than a single SAML
IdP. Specifically I want to support EduGAIN.
Is this something that keycloak supports natively? The form for
configuring a SAML Identity provider appears to assume a single IdP.
If not, does anyone have any suggestions for the best approach to
bridging a shibboleth SP into something keycloak can use as an Identity
provider?
Stephen
--
======================================================================
Dr Stephen P Booth, Principal Architect, EPCC
s.booth@epcc.ed.ac.uk
Phone 0131 650 5746
======================================================================
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user